lectures on separation logic. lecture 1: basics, fluency€¦ · lecture 1: basics, fluency peter...
TRANSCRIPT
Lectures on Separation Logic.Lecture 1: Basics, Fluency
Peter O’Hearn
Queen Mary, University of London
Marktoberdorf Summer School, 2011
Thursday, August 11, 2011
Plan
� Lecture 1 : Basics, Fluency, Examples
� Lecture 2 : Foundations
� Lecture 3 : Cooking an Automatic Program Analyzer
� Lecture 4 : A New Recipe from East London
2Thursday, August 11, 2011
Lecture I
Fluency, Examples
Sources
� O’Hearn-Reynolds-Yang, CSL’01: Local reasoning about programsthat alter data structures
� Reynolds, LICS’02: Separation Logic: A logic for shared mutable datastructure.
� Hoarefest’00 paper of Reynolds, POPL’01 paper of Ishtiaq-O’Hearn,BSL’99 paper of O’Hearn-Pym, MI’72 paper of Burstall
4Thursday, August 11, 2011
Separation Logic
x|->y * y|-> x
x y
5Thursday, August 11, 2011
Separation Logic
x|->y * y|-> x
x y
6Thursday, August 11, 2011
Separation Logic
x|->y
x y
7Thursday, August 11, 2011
Separation Logic
y|-> x
x y
8Thursday, August 11, 2011
Separation Logic
x|->y * y|-> x
x y
9Thursday, August 11, 2011
Separation Logic
x|->y * y|-> x
x y
x=10
y=4242
10 42
10
10Thursday, August 11, 2011
Separation Logic
x|->y * y|-> x
x y
x=10
y=4242
10 42
10
11Thursday, August 11, 2011
Separation Logic
x|->y
x y
x=10
y=4242
10
12Thursday, August 11, 2011
Separation Logic
y|-> x
x y
x=10
y=42
42
10
13Thursday, August 11, 2011
Separation Logic
x|->y * y|-> x
x y
14Thursday, August 11, 2011
Heaplets (heap portions) as possible worlds (i.e., a kind of
modal logic)
� Add to Classical Logic:� emp : “the heaplet is empty”� x �→ y : “the heaplet has exactly one cell x , holding y”� A ∗ B : “the heaplet can be divided so A is true of one partition and B
of the other”.
� Add inductive definitions , and other more exotic things (“magicwand”, “septraction” ) as well.
� Standard model: RAM model
heap : N �f Z
and lots of variations (records, permissions, ownership... more later).
15Thursday, August 11, 2011
Heaplets (heap portions) as possible worlds (i.e., a kind of
modal logic)
� Add to Classical Logic:� emp : “the heaplet is empty”� x �→ y : “the heaplet has exactly one cell x , holding y”� A ∗ B : “the heaplet can be divided so A is true of one partition and B
of the other”.
� Add inductive definitions , and other more exotic things (“magicwand”, “septraction” ) as well.
� Standard model: RAM model
heap : N �f Z
and lots of variations (records, permissions, ownership... more later).
15Thursday, August 11, 2011
Heaplets (heap portions) as possible worlds (i.e., a kind of
modal logic)
� Add to Classical Logic:� emp : “the heaplet is empty”� x �→ y : “the heaplet has exactly one cell x , holding y”� A ∗ B : “the heaplet can be divided so A is true of one partition and B
of the other”.
� Add inductive definitions , and other more exotic things (“magicwand”, “septraction” ) as well.
� Standard model: RAM model
heap : N �f Z
and lots of variations (records, permissions, ownership... more later).
15Thursday, August 11, 2011
A Substructural Logic
A �� A∗A
10 �→ 3 �� 10 �→ 3 ∗ 10 �→ 3
A∗B �� A
10 �→ 3 ∗ 42 �→ 5 �� 10 �→ 3
16Thursday, August 11, 2011
An inconsistency: trying to be two places at once
10|->3 * 10|->3
10 10
17Thursday, August 11, 2011
In-place Reasoning
{(x �→ –) ∗ P} [x ]:= 7 {(x �→ 7) ∗ P}
18Thursday, August 11, 2011
In-place Reasoning
{(x �→ –) ∗ P} [x ]:= 7 {(x �→ 7) ∗ P}
{true} [x ]:= 7 {??}
18Thursday, August 11, 2011
In-place Reasoning
{(x �→ –) ∗ P} [x ]:= 7 {(x �→ 7) ∗ P}
{true} [x ]:= 7 {??}
{P ∗ (x �→ –) } dispose(x) {P}
18Thursday, August 11, 2011
In-place Reasoning
{(x �→ –) ∗ P} [x ]:= 7 {(x �→ 7) ∗ P}
{true} [x ]:= 7 {??}
{P ∗ (x �→ –) } dispose(x) {P}
{true} dispose(x) {??}
18Thursday, August 11, 2011
In-place Reasoning
{(x �→ –) ∗ P} [x ]:= 7 {(x �→ 7) ∗ P}
{true} [x ]:= 7 {??}
{P ∗ (x �→ –) } dispose(x) {P}
{true} dispose(x) {??}
{P} x = cons(a, b) {P ∗ (x �→ a, b)} (x �∈ free(P))
18Thursday, August 11, 2011
Linked ListsList segments (list(E ) is shorthand for lseg(E , nil) )
lseg(E ,F ) ⇐⇒ if E = F then emp
else ∃y .E �→tl : y ∗ lseg(y ,F )
lseg(x , y) ∗ lseg(y , x)
x
y
19Thursday, August 11, 2011
Linked ListsList segments (list(E ) is shorthand for lseg(E , nil) )
lseg(E ,F ) ⇐⇒ if E = F then emp
else ∃y .E �→tl : y ∗ lseg(y ,F )
lseg(x , t) ∗ t �→[tl : y ] ∗ list(y)
x t y
19Thursday, August 11, 2011
Linked ListsList segments (list(E ) is shorthand for lseg(E , nil) )
lseg(E ,F ) ⇐⇒ if E = F then emp
else ∃y .E �→tl : y ∗ lseg(y ,F )
Entailment lseg(x , t) ∗ t �→[tl : y ] ∗ list(y) � list(x)
x t y
19Thursday, August 11, 2011
Linked ListsList segments (list(E ) is shorthand for lseg(E , nil) )
lseg(E ,F ) ⇐⇒ if E = F then emp
else ∃y .E �→tl : y ∗ lseg(y ,F )
Non-Entailment lseg(x , t) ∗ t �→nil ∗ list(y) �� list(x)
x t y
19Thursday, August 11, 2011
In-place reasoning and Inductive Definitions
Example Inductive Definition:
tree(E ) ⇐⇒ if E=nil then emp
else ∃x , y . (E �→l : x , r : y) ∗ tree(x) ∗ tree(y)
Example Proof:
{tree(p) ∧ p �= nil}
i := x→ l ; j := x→ r ;
dispose(p);
{ tree(i) ∗ tree(j)}
20Thursday, August 11, 2011
In-place reasoning and Inductive Definitions
Example Inductive Definition:
tree(E ) ⇐⇒ if E=nil then emp
else ∃x , y . (E �→l : x , r : y) ∗ tree(x) ∗ tree(y)
Example Proof:
{tree(p) ∧ p �= nil}{(p �→l : x �, r : y �) ∗ tree(x �) ∗ tree(y �)}i := x→ l ; j := x→ r ;
dispose(p);
{ tree(i) ∗ tree(j)}
20Thursday, August 11, 2011
In-place reasoning and Inductive Definitions
Example Inductive Definition:
tree(E ) ⇐⇒ if E=nil then emp
else ∃x , y . (E �→l : x , r : y) ∗ tree(x) ∗ tree(y)
Example Proof:
{tree(p) ∧ p �= nil}{(p �→l : x �, r : y �) ∗ tree(x �) ∗ tree(y �)}i := x→ l ; j := x→ r ;
{(p �→l : i , r : j) ∗ tree(i) ∗ tree(j)}dispose(p);
{ tree(i) ∗ tree(j)}
20Thursday, August 11, 2011
In-place reasoning and Inductive Definitions
Example Inductive Definition:
tree(E ) ⇐⇒ if E=nil then emp
else ∃x , y . (E �→l : x , r : y) ∗ tree(x) ∗ tree(y)
Example Proof:
{tree(p) ∧ p �= nil}{(p �→l : x �, r : y �) ∗ tree(x �) ∗ tree(y �)}i := x→ l ; j := x→ r ;
{(p �→l : i , r : j) ∗ tree(i) ∗ tree(j)}dispose(p);
{emp ∗ tree(i) ∗ tree(j)}{ tree(i) ∗ tree(j)}
20Thursday, August 11, 2011
Extended In-place Reasoning
� Spec{tree(p)} DispTree(p) {emp}
� Rest of proof of evident recursive procedure
{tree(i)∗tree(j)}DispTree(i);{emp ∗ tree(j)}DispTree(j);
{P}C{Q}{P∗R}C{Q∗R} Frame Rule
21Thursday, August 11, 2011
Extended In-place Reasoning
� Spec{tree(p)} DispTree(p) {emp}
� Rest of proof of evident recursive procedure
{tree(i)∗tree(j)}DispTree(i);{emp ∗ tree(j)}DispTree(j);
{P}C{Q}{P∗R}C{Q∗R} Frame Rule
21Thursday, August 11, 2011
Extended In-place Reasoning
� Spec{tree(p)} DispTree(p) {emp}
� Rest of proof of evident recursive procedure
{tree(i)∗tree(j)}DispTree(i);{emp ∗ tree(j)}DispTree(j);{emp ∗ emp}
{P}C{Q}{P∗R}C{Q∗R} Frame Rule
21Thursday, August 11, 2011
Extended In-place Reasoning
� Spec{tree(p)} DispTree(p) {emp}
� Rest of proof of evident recursive procedure
{tree(i)∗tree(j)}DispTree(i);{emp ∗ tree(j)}DispTree(j);{emp}
{P}C{Q}{P∗R}C{Q∗R} Frame Rule
21Thursday, August 11, 2011
Back in the day...(before Sep Logic)
� procedure DispTree(p)local i , j ;if p �=nil then
i = p�l ; j := p�r ;DispTree(i);DispTree(j);dispose(p)
22Thursday, August 11, 2011
Back in the day...(before Sep Logic)
�� procedure DispTree(p)local i , j ;if p �=nil then
i = p�l ; j := p�r ;DispTree(i);DispTree(j);dispose(p)
� An Unhappy Attempt to Specify
{tree(p) ∧ reach(p, n)}DispTree(p){¬allocated(n)}
22Thursday, August 11, 2011
Back in the day...(before Sep Logic)
� procedure DispTree(p)local i , j ;if p �=nil then
i = p�l ; j := p�r ;DispTree(i);DispTree(j);dispose(p)
� An Unfortunate Fix
{tree(p) ∧ reach(p, n)∧¬reach(p,m) ∧ allocated(m) ∧m.f = m� ∧ ¬allocated(q)}DispTree(p){¬allocated(n)∧¬reach(p,m) ∧ allocated(m) ∧m.f = m� ∧ ¬allocated(q)}
22Thursday, August 11, 2011
Back in the day...(before Sep Logic)
� An unhappy proof
23Thursday, August 11, 2011
Extended In-place Reasoning
� Spec{tree(p)} DispTree(p) {emp}
� Rest of proof of evident recursive procedure
{tree(i)∗tree(j)}DispTree(i);{emp ∗ tree(j)}DispTree(j);{emp}
{P}C{Q}{P∗R}C{Q∗R} Frame Rule
21Thursday, August 11, 2011
A Bit of Concurrency
{P1}C1{Q1} {P2}C2{Q2}{P1 ∗ P2}C1 � C2{Q1 ∗ Q2}
With this rule we can’t prove racy programs like
{10 �→ –}[10]:= 42 � [10]:= 6
{??}
25Thursday, August 11, 2011
A Bit of Concurrency
{P1}C1{Q1} {P2}C2{Q2}{P1 ∗ P2}C1 � C2{Q1 ∗ Q2}
With this rule we can’t prove racy programs like
{10 �→ –}[10]:= 42 � [10]:= 6
{??}
We cannot send 10 to both processes in their preconditions, since
(10 �→ –) ∗ (10 �→ –)
is false. But...
25Thursday, August 11, 2011
A Bit of Concurrency
{P1}C1{Q1} {P2}C2{Q2}{P1 ∗ P2}C1 � C2{Q1 ∗ Q2}
Preconditions can pick out race-free start-states, when they exist:
{x �→ 3} {y �→ 3}[x ]:= 4 � [y ]:= 5{x �→ 4} {y �→ 5}
25Thursday, August 11, 2011
A Bit of Concurrency
{P1}C1{Q1} {P2}C2{Q2}{P1 ∗ P2}C1 � C2{Q1 ∗ Q2}
Preconditions can pick out race-free start-states, when they exist:
{x �→ 3 ∗ y �→ 3}{x �→ 3} {y �→ 3}[x ]:= 4 � [y ]:= 5{x �→ 4} {y �→ 5}
{x �→ 4 ∗ y �→ 5}
That ‘proof figure” is an annotation form for
{x �→ 3} [x ]:= 4 {x �→ 4} {y �→ 3} [y ]:= 5 {y �→ 5}
{x �→ 3 ∗ y �→ 3} [x ]:= 4 � [y ]:= 5 {x �→ 4 ∗ y �→ 5}25
Thursday, August 11, 2011
Extended In-place Reasoning
� Spec{tree(p)} DispTree(p) {emp}
� Rest of proof of evident recursive procedure
{tree(i)∗tree(j)}DispTree(i);{emp ∗ tree(j)}DispTree(j);{emp}
{P}C{Q}{P∗R}C{Q∗R} Frame Rule
24Thursday, August 11, 2011
Example: Parallel Mergesort
{array(a, i , j)}procedure ms(a, i , j)newvar m:= (i + j)/2;if i < j then�
ms(a, i ,m) � ms(a,m + 1, j)�;
merge(a, i ,m + 1, j);{sorted(a, i , j)}
�
28Thursday, August 11, 2011
Example: Parallel Mergesort
{array(a, i , j)}procedure ms(a, i , j)newvar m:= (i + j)/2;
if i < j then�ms(a, i ,m) � ms(a,m + 1, j)
�;
merge(a, i ,m + 1, j);{sorted(a, i , j)}
� Can’t prove with disjoint concurrency rule
{P}C{Q} {P �}C �{Q �}{P ∧ P �}C � C �{Q ∧ Q �}
where C does not modify any variables free in P �,C �,Q �, and
conversely. Because: Hoare logic treats an assignment to an array
component as an assignment to the whole array.
28Thursday, August 11, 2011
a[i]:=v modelled as a:=(a|v|->i)
a[3]:=7 and a[8]:=22
treated theoretically as altering SAME variable
That is, in Trad Hoare logic
In Sep Logic, the heap (or array) is not monolothic, but is decomposed into
many littler “heaplets”.
More on that (semantics) in Lecture 2
Thursday, August 11, 2011
Example: Parallel Mergesort
{array(a, i , j)}procedure ms(a, i , j)newvar m:= (i + j)/2;
if i < j then�ms(a, i ,m) � ms(a,m + 1, j)
�;
merge(a, i ,m + 1, j);{sorted(a, i , j)}
� Can’t prove with disjoint concurrency rule
{P}C{Q} {P �}C �{Q �}{P ∧ P �}C � C �{Q ∧ Q �}
where C does not modify any variables free in P �,C �,Q �, and
conversely. Because: Hoare logic treats an assignment to an array
component as an assignment to the whole array.
28Thursday, August 11, 2011
In Separation Logic1
� We just use the given pre/post spec.
{array(a, i ,m) ∗ array(a,m + 1, j)}{array(a, i ,m)} {array(a,m + 1, j)}ms(a, i ,m) � ms(a,m + 1, j){sorted(a, i ,m)} {sorted(a,m + 1, j)}
{sorted(a, i ,m) ∗ sorted(a,m + 1, j)}
� Concurrency proof rule:
{P1}C1{Q1} {P2}C2{Q2}{P1 ∗ P2}C1 � C2{Q1 ∗ Q2}
1a[i ] is sugar for [a + i ] in RAM model29
Thursday, August 11, 2011
Main Points
� ∗ lets you do in-place reasoning
� ∗ interacts well with inductive definitions
� powerful way to avoid writing frame axioms
� Pre/post specs tied to footprint (describe “local surgeries”)
� Slogan: Simple proofs, for simple programs
26Thursday, August 11, 2011
Main Points
� ∗ lets you do in-place reasoning
� ∗ interacts well with inductive definitions
� powerful way to avoid writing frame axioms
� Pre/post specs tied to footprint (describe “local surgeries”)
� Slogan: Simple proofs, for simple programs
26Thursday, August 11, 2011
Main Points
� ∗ lets you do in-place reasoning
� ∗ interacts well with inductive definitions
� powerful way to avoid writing frame axioms
� Pre/post specs tied to footprint (describe “local surgeries”)
� Slogan: Simple proofs, for simple programs
26Thursday, August 11, 2011